Arby's fast food chain falls victim to security breach

Arby’s, the fast food chain that proudly proclaims it has the meats, apparently also has something else – lax security.

Krebs on Security reported Thursday that sources at nearly half a dozen banks and credit unions reached out over the past 48 to inquire if they’d heard anything about a data breach involving the fast food chain. When probed on the matter, the restaurant confirmed the breach with the publication.

A spokesperson for Arby’s told Krebs that they first learned of an issue involving its payment card system in mid-January. The company immediately notified law enforcement and enlisted the help of leading security experts including Mandiant.

Malware was discovered on payment systems inside some of Arby’s corporate stores; franchised locations were not impacted. Arby’s said it had not gone public about the issue as per the FBI’s request.

Krebs notes that roughly a third of the 3,300 Arby’s locations in the US are corporate-owned.

The first rumblings, Krebs said, of a breach came as part of a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions. Said alert mentioned a breach at an unnamed retailer that compromised more than 355,000 credit and debit cards issued by PCSU member banks.

Arby’s, meanwhile, declined to say how long the malware had been installed although the aforementioned report estimates the breach may have occurred between October 25, 2016, and January 19, 2017.